11 matches found

EUVD
added 4 hours ago, 3 views

EUVD-2026-40416

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 4
NVD
added 2026/06/15 11:16 p.m., 10 views

CVE-2026-48599

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...

CVSS 7.6, EPSS 0.00273
Exploits: 0, References: 4
Snyk
added 2026/06/12 4:39 p.m., 6 views

Incorrect Authorization

Overview chromadb is a Chroma. Affected versions of this package are vulnerable to Incorrect Authorization due to improper evaluation of permissions in the SimpleRBACAuthorizationProvider function. An attacker can gain unauthorized access to resources across different tenants by exploiting the la...

CVSS 9.6, AI score 5.3, EPSS 0.00237
Exploits: 0, References: 2
Positive Technologies
added 2026/06/10 12:00 a.m., 10 views

PT-2026-48434

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check app/routes/smon/routes.py:117-138 gates only on roxywi common.check user group for flask — which validates that the caller has some group, not that the target chec...

CVSS 9.1, AI score 5.8, EPSS 0.00196
Exploits: 0, References: 2
NVD
added 2026/06/08 8:17 p.m., 12 views

CVE-2026-49141

WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

CVSS 7.1, EPSS 0.00216
Exploits: 0, References: 3
Vulnrichment
added 2026/05/18 1:48 p.m., 29 views

CVE-2026-41947 Dify < 1.14.2 Authorization Bypass via Trace Configuration Endpoints

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...

CVSS 9.3, AI score 5.8, EPSS 0.00453
Exploits: 1, References: 6
CNNVD
added 2026/05/18 12:00 a.m., 11 views

dify security vulnerability

Dify is an open-source LLM application development platform created by LangGenius. Versions of Dify prior to 1.14.1 contained security vulnerabilities. These vulnerabilities were due to an authorization bypass issue, which allowed authenticated users to modify user settings and enable tracking...

CVSS 9.3, AI score 5.8, EPSS 0.00453
Exploits: 1, References: 6
CNNVD
added 2026/05/14 12:00 a.m., 12 views

hatchet security vulnerability

Hatchet is an open-source backend task and AI workflow orchestration engine developed by Hatchet. Versions of Hatchet prior to 0.83.39 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization instructions for the GET /api/v1/stable/dags/tasks endpoint,...

CVSS 6.5, AI score 5.8, EPSS 0.00181
Exploits: 0, References: 2
Snyk
added 2026/05/06 9:59 p.m., 8 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the GET /api/v1/stable/dags/tasks endpoint via improper tenant checks in the listTasksByDAGIds function. An attacker can access sensitive task metadata belonging to other tenants by...

CVSS 6.5, AI score 5.8, EPSS 0.00181
Exploits: 0, References: 2
Github Security Blog
added 2025/08/18 9:00 p.m., 11 views

Capsule tenant owners with "patch namespace" permission can hijack system namespaces label

Summary A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces kube-system, default, capsule-system, bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource...

CVSS 9.0, AI score 7.9, EPSS 0.00437
Exploits: 0, References: 5, Affected Software: 1
RedHat Linux
added 2014/05/29 8:15 p.m., 4 views

openstack-neutron: insufficient authorization checks when creating ports

The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command...

CVSS 2.1, AI score 5.9, EPSS 0.01433
Exploits: 0, References: 4